Solved

2003 AD GPO Issues

Posted on 2007-11-14
Last Modified: 2013-11-21
Hi All,
I need to lock down a TS server running QuickBooks. I created the GPO and applied it to an OU called Secure QuickBooks Servers. Within the GPO I defined the required settings, including Loopback Processing. The problem I am having is that I have only the QB server computer object in the OU. I also created 2 test accounts for verification. I also have a group called QuickBooks Users which I use for security filtering on the GPO; I have removed the Authenticated Users group. The GPO will not apply without me adding the test user accounts to the Secure QuickBooks Servers OU, which is not an option given that the policy will then be applied to the user desktops as well (I think). Is there a way for me to apply the Secure Terminal Server GPO only to the users logging on to the QuickBooks Server, without affecting the administrator or the users' desktop environments?

Thank you in advance!


0
Comment
Question by:kbabbing
9 Comments
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20281622
1. On the QuickBooks Server OU you must have the TS (I assume your QuickBooks server) ONLY.
2. The Policy you will create will apply to the QuickBooks Users AND to the TS Computer object (your QuickBooks Server).
3. Loopback Processing mode should be enabled and set to replace.

This will do what you want, that is, to have the policy applied to these users only when they log on to the TS (QuickBooks Server).

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
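
The three steps in the accepted answer, scripted as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later); the domain DN `DC=example,DC=local` and the server name `QBTS01` are placeholders, while the OU, group and GPO names are the ones used in the question.

```powershell
# Added example: requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

# Placeholders (assumptions): substitute your own domain DN and server name.
$OuDn       = 'OU=Secure QuickBooks Servers,DC=example,DC=local'
$ServerName = 'QBTS01'
$GpoName    = 'Secure Terminal Server'
$UserGroup  = 'QuickBooks Users'

# Steps 1 and 2: create the GPO and link it to the OU that holds ONLY the
# terminal server's computer object. User accounts stay in their own OU.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# Step 3: enable loopback processing in Replace mode.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Security filtering: Read + Apply for the server's computer object and for
# the user group, so the computer half (loopback setting) and the user half
# (lockdown settings) are both processed on the terminal server.
Set-GPPermission -Name $GpoName -TargetName $ServerName `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Remove the default Authenticated Users entry so that administrators and
# anyone else outside the group do not receive the lockdown on this server.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Check: list who can read/apply the GPO and confirm the link on the OU.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
(Get-GPInheritance -Target $OuDn).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

After running it, refresh policy on the server with `gpupdate /force`, log on as a member of the group and as an administrator, and compare the two sessions' Resultant Set of Policy.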
 

Author Comment

by:kbabbing
ID: 20282956
The problem I am having is that the GPO only applies when the Users and Computer Object reside in the same OU. If I move the test users out of the OU and leave only the Computer object, the GPO does not apply. When I run RSOP through GPMC I get all Successes under Component Status, but it does end up listed under the Denied GPOs with a reason of Inaccessible.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20283009
On the security you must make sure the policy applies to the Computer object AND to the QuickBooks User group.
Is this how you set it up?

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20283021
Read this as well.
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0

 

Author Comment

by:kbabbing
ID: 20283347
I do have the security set that way.
Computer Object Read\Apply and The QuickBooks Users Group Read\Apply
0
 

Author Comment

by:kbabbing
ID: 20283379
The Computer Object is in one OU and the Users are in another OU
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20283503
And the GPO is created at the OU where the Computers are, correct?

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:kbabbing
ID: 20285972
The GPO is applied\linked at the Secure QuickBooks Server OU, which, when working, has the 2 test accounts and the Computer Object within. When I move the User accounts into a different OU the GPO will not apply. All security filtering has been confirmed per your request.
0
 

Author Comment

by:kbabbing
ID: 20291898
Thank you, I have found the problem. I overlooked the fact that I did not have the Group in the same OU as the Computer object. Rookie mistake... You were very helpful!
0
